From f7dbe73a216967b385f575da63f1cc6e86b44e27 Mon Sep 17 00:00:00 2001 From: Ravina Dhruve Date: Tue, 29 Oct 2024 19:44:56 -0700 Subject: [PATCH 1/5] feat(modules): Support for Govcloud account/org for fedramp Change summary: ----------------- 1. Added support to install govcloud single account and org in foundational onboarding module. 2. Added same support in config-posture module. 3. Added same support in event-bridge module. 4. Updated and cleaned up the READMEs of the modules. 5. Added tests for foundational and event-bridge single and org installs. --- modules/config-posture/README.md | 20 +++++--- modules/config-posture/main.tf | 31 +++++++----- modules/config-posture/organizational.tf | 8 ++-- modules/config-posture/variables.tf | 6 +++ modules/config-posture/versions.tf | 3 +- modules/integrations/event-bridge/README.md | 3 ++ modules/integrations/event-bridge/main.tf | 23 +++++---- .../event-bridge/organizational.tf | 9 ++-- .../event-bridge/stackset_template_body.tpl | 2 +- .../integrations/event-bridge/variables.tf | 6 +++ modules/integrations/event-bridge/versions.tf | 3 +- modules/onboarding/README.md | 36 +++++++++----- modules/onboarding/main.tf | 47 ++++++++++++++----- modules/onboarding/organizational.tf | 15 ++++-- modules/onboarding/outputs.tf | 5 ++ modules/onboarding/variables.tf | 5 ++ modules/onboarding/versions.tf | 3 +- .../examples/organization/event_bridge_gov.tf | 29 ++++++++++++ .../organization/onboarding_with_cspm_gov.tf | 41 ++++++++++++++++ .../single_account/event_bridge_gov.tf | 27 +++++++++++ .../onboarding_with_cspm_gov.tf | 37 +++++++++++++++ 21 files changed, 295 insertions(+), 64 deletions(-) create mode 100644 test/examples/organization/event_bridge_gov.tf create mode 100644 test/examples/organization/onboarding_with_cspm_gov.tf create mode 100644 test/examples/single_account/event_bridge_gov.tf create mode 100644 test/examples/single_account/onboarding_with_cspm_gov.tf 
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index 442e9ee..dfc2dc8 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -10,6 +10,8 @@ The following resources will be created in each instrumented account: If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account. +If instrumenting an AWS Gov account/organization, IAM policies and resources will be created in `aws-us-gov` region. + ## Requirements 
@@ -32,29 +34,35 @@ No modules. | Name | Type | |------|------| +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachments_exclusive.cspm_role_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource | +| [aws_iam_role_policy.cspm_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [sysdig_secure_cloud_auth_account_component.config_posture_role](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account_component) | resource | | [aws_cloudformation_stack_set.stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource | | [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource | -| [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_policy_document.custom_resources_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | +| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source | | 
[aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes | -| [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes | | [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no | | [org\_units](#input\_org\_units) | Org unit id to install cspm | `set(string)` | `[]` | no | | [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no | -| [role\_name](#input\_role\_name) | The name of the IAM Role that will be created. | `string` | `"sysdig-secure"` | no | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | +| [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | +| [is\_gov\_cloud](#input\_is\_gov\_cloud) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no | ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [config\_posture\_component\_id](#output\_config\_posture\_component\_id) | The component id of the config posture trusted identity | ## Authors diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index 799aa8a..b2a5a61 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf 
@@ -1,19 +1,28 @@ -// generate a random suffix for the config-posture role name +#----------------------------------------------------------------------------------------- +# Fetch the data sources +#----------------------------------------------------------------------------------------- + +data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { + cloud_provider = "aws" +} +data "sysdig_secure_tenant_external_id" "external_id" {} + +#---------------------------------------------------------- +# Fetch & compute required data +#---------------------------------------------------------- + +// generate a random suffix for the config-posture role name resource "random_id" "suffix" { byte_length = 3 } locals { config_posture_role_name = "sysdig-secure-posture-${random_id.suffix.hex}" + trusted_identity = var.is_gov_cloud ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity + arn_prefix = var.is_gov_cloud ? "arn:aws-us-gov" : "arn:aws" } -data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { - cloud_provider = "aws" -} - -data "sysdig_secure_tenant_external_id" "external_id" {} - #---------------------------------------------------------- # Since this is not an Organizational deploy, create role/polices directly #---------------------------------------------------------- @@ -28,7 +37,7 @@ resource "aws_iam_role" "cspm_role" { "Sid": "", "Effect": "Allow", "Principal": { - "AWS": "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}" + "AWS": "${local.trusted_identity}" }, "Action": "sts:AssumeRole", "Condition": { @@ -45,7 +54,7 @@ EOF resource "aws_iam_role_policy_attachments_exclusive" "cspm_role_managed_policy" { role_name = aws_iam_role.cspm_role.id policy_arns = [ - "arn:aws:iam::aws:policy/SecurityAudit" + "${local.arn_prefix}:iam::aws:policy/SecurityAudit" ] } 
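Review bot: The `arn_prefix` local added in the first hunk derives the ARN partition from `var.is_gov_cloud` alone, so a caller who leaves the flag at its default while the AWS provider is authenticated to a GovCloud account gets `arn:aws` managed-policy and WAF ARNs that cannot resolve there, and the role's trust policy names the commercial `identity` instead of `gov_identity`. The partition is already known to the provider: `data "aws_partition" "current" {}` plus `arn_prefix = "arn:${data.aws_partition.current.partition}"` makes the ARNs correct regardless of the flag, leaving `is_gov_cloud` only to select the trusted identity (and, if the module's minimum Terraform version allows `precondition`, a check that the flag agrees with the partition would fail the plan before any IAM resource is created). The identical `locals` block is added in event-bridge `main.tf` (@@ -26,7) and onboarding `main.tf` (@@ -9,14) and would take the same change. A short comment on the local would also help the next reader: `# "aws-us-gov" is the ARN partition for GovCloud; every managed-policy and resource ARN below must carry it`.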
@@ -70,8 +79,8 @@ resource "aws_iam_role_policy" "cspm_role_policy" { ] Effect = "Allow" Resource = [ - "arn:aws:waf-regional:*:*:rule/*", - "arn:aws:waf-regional:*:*:rulegroup/*" + "${local.arn_prefix}:waf-regional:*:*:rule/*", + "${local.arn_prefix}:waf-regional:*:*:rulegroup/*" ] }, { diff --git a/modules/config-posture/organizational.tf b/modules/config-posture/organizational.tf index 3c4080c..01e74f0 100644 --- a/modules/config-posture/organizational.tf +++ b/modules/config-posture/organizational.tf @@ -45,13 +45,13 @@ Resources: Statement: - Effect: Allow Principal: - AWS: [ ${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity} ] + AWS: [ ${local.trusted_identity} ] Action: [ 'sts:AssumeRole' ] Condition: StringEquals: sts:ExternalId: ${data.sysdig_secure_tenant_external_id.external_id.external_id} ManagedPolicyArns: - - "arn:aws:iam::aws:policy/SecurityAudit" + - "${local.arn_prefix}:iam::aws:policy/SecurityAudit" Policies: - PolicyName: ${local.config_posture_role_name} PolicyDocument: @@ -67,8 +67,8 @@ Resources: - "waf-regional:ListRules" - "waf-regional:ListRuleGroups" Resource: - - "arn:aws:waf-regional:*:*:rule/*" - - "arn:aws:waf-regional:*:*:rulegroup/*" + - "${local.arn_prefix}:waf-regional:*:*:rule/*" + - "${local.arn_prefix}:waf-regional:*:*:rulegroup/*" - Sid: "ListJobsOnConsole" Effect: "Allow" Action: "macie2:ListClassificationJobs" diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index e1ffcd0..6539f57 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf 
@@ -45,3 +45,9 @@ variable "sysdig_secure_account_id" { type = string description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)" } + +variable "is_gov_cloud" { + type = bool + default = false + description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not" +} \ No newline at end of file diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf index 7ebfef6..623d009 100644 --- a/modules/config-posture/versions.tf +++ b/modules/config-posture/versions.tf @@ -6,7 +6,8 @@ terraform { version = ">= 5.60.0" } sysdig = { - source = "sysdiglabs/sysdig" + source = "local/sysdiglabs/sysdig" // TODO: remove after test + version = "~> 1.0.0" } } } diff --git a/modules/integrations/event-bridge/README.md b/modules/integrations/event-bridge/README.md index d4ef423..f01c624 100644 --- a/modules/integrations/event-bridge/README.md +++ b/modules/integrations/event-bridge/README.md @@ -11,6 +11,8 @@ When run in Organizational mode, this module will be deployed via CloudFormation This module will also deploy an Event Bridge Component in Sysdig Backend for onboarded Sysdig Cloud Account. +If instrumenting an AWS Gov account/organization, IAM policies and event bridge resources will be created in `aws-us-gov` region. + ## Requirements @@ -72,6 +74,7 @@ No modules. | [tags](#input\_tags) | (Optional) Tags to be attached to all Sysdig resources. | `map(string)` |
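Review bot: `source = "local/sysdiglabs/sysdig" // TODO: remove after test` in the `versions.tf` hunk points every consumer of the module at a provider that only exists in the author's local mirror, so `terraform init` fails for anyone else, and a provider obtained from a local path is not verified against the registry's signing key, which is exactly the kind of substitution a supply-chain review should refuse; restore `source = "sysdiglabs/sysdig"` before merge. The same TODO appears in the event-bridge and onboarding `versions.tf` hunks. The added `version = "~> 1.0.0"` also cannot coexist with the `~> 1.37` constraint the new test examples declare under the registry source, so the examples as committed would not initialise against these modules. Separately, the `variables.tf` hunk in this file ends with `\ No newline at end of file`, which the next change to the file will turn into a spurious diff on the closing brace.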
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | | [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes | +| [is\_gov\_cloud](#input\_is\_gov\_cloud) | true/false whether Event Bridge should be deployed in a govcloud account/org or not | `bool` | `false` | no | ## Outputs diff --git a/modules/integrations/event-bridge/main.tf b/modules/integrations/event-bridge/main.tf index 1ae99b5..a2eea6e 100644 --- a/modules/integrations/event-bridge/main.tf +++ b/modules/integrations/event-bridge/main.tf @@ -26,7 +26,10 @@ data "sysdig_secure_tenant_external_id" "external_id" {} # These locals indicate the region list passed. #----------------------------------------------------------------------------------------- locals { - region_set = toset(var.regions) + region_set = toset(var.regions) + trusted_identity = var.is_gov_cloud ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity + target_event_bus_arn = var.is_gov_cloud ? data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARNGov : data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN + arn_prefix = var.is_gov_cloud ? "arn:aws-us-gov" : "arn:aws" } #----------------------------------------------------------------------------------------- @@ -79,7 +82,7 @@ resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_admin_r count = !var.auto_create_stackset_roles ? 0 : 1 role_name = aws_iam_role.event_bus_stackset_admin_role[0].id policy_arns = [ - "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess" + "${local.arn_prefix}:iam::aws:policy/AWSCloudFormationFullAccess" ] } 
@@ -104,7 +107,7 @@ resource "aws_iam_role" "event_bus_stackset_execution_role" { { "Action": "sts:AssumeRole", "Principal": { - "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.event_bus_stackset_admin_role[0].name}" + "AWS": "${local.arn_prefix}:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.event_bus_stackset_admin_role[0].name}" }, "Effect": "Allow", "Condition": {} @@ -118,8 +121,8 @@ resource "aws_iam_role_policy_attachments_exclusive" "event_bus_stackset_executi count = !var.auto_create_stackset_roles ? 0 : 1 role_name = aws_iam_role.event_bus_stackset_execution_role[0].id policy_arns = [ - "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess", - "arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess" + "${local.arn_prefix}:iam::aws:policy/AWSCloudFormationFullAccess", + "${local.arn_prefix}:iam::aws:policy/AmazonEventBridgeFullAccess" ] } @@ -149,7 +152,7 @@ resource "aws_iam_role" "event_bus_invoke_remote_event_bus" { { "Action": "sts:AssumeRole", "Principal": { - "AWS": "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}" + "AWS": "${local.trusted_identity}" }, "Effect": "Allow", "Condition": { @@ -163,7 +166,6 @@ resource "aws_iam_role" "event_bus_invoke_remote_event_bus" { EOF } - resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" { name = local.eb_resource_name role = aws_iam_role.event_bus_invoke_remote_event_bus.id @@ -176,7 +178,7 @@ resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" { ] Effect = "Allow" Resource = [ - data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN, + "${local.target_event_bus_arn}", ] }, { @@ -187,7 +189,7 @@ resource "aws_iam_role_policy" "event_bus_invoke_remote_event_bus_policy" { ] Effect = "Allow" Resource = [ - "arn:aws:events:*:*:rule/${local.eb_resource_name}", + "${local.arn_prefix}:events:*:*:rule/${local.eb_resource_name}", ] }, ] 
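Review bot: In the `event_bus_invoke_remote_event_bus_policy` hunk (@@ -176,7) the bus ARN is written as `"${local.target_event_bus_arn}",`, a bare interpolation wrapped in quotes that only forces a string conversion and that `terraform fmt`/tflint flag as redundant; write `local.target_event_bus_arn,` as the surrounding `Resource` entries do. The blank-line removal in @@ -163,7 is harmless. The remaining hunks on this line consistently switch to `local.arn_prefix` and `local.trusted_identity`, which is fine given the partition caveat already raised on the config-posture locals.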
@@ -226,7 +228,8 @@ resource "aws_cloudformation_stack_set" "primary-acc-stackset" { name = local.eb_resource_name event_pattern = var.event_pattern rule_state = var.rule_state - target_event_bus_arn = data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN + arn_prefix = local.arn_prefix + target_event_bus_arn = local.target_event_bus_arn }) depends_on = [ diff --git a/modules/integrations/event-bridge/organizational.tf b/modules/integrations/event-bridge/organizational.tf index fbd8c71..53230e4 100644 --- a/modules/integrations/event-bridge/organizational.tf +++ b/modules/integrations/event-bridge/organizational.tf @@ -38,7 +38,8 @@ resource "aws_cloudformation_stack_set" "eb-rule-stackset" { name = local.eb_resource_name event_pattern = var.event_pattern rule_state = var.rule_state - target_event_bus_arn = data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN + arn_prefix = local.arn_prefix + target_event_bus_arn = local.target_event_bus_arn }) } @@ -79,7 +80,7 @@ Resources: Action: 'sts:AssumeRole' - Effect: "Allow" Principal: - AWS: "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}" + AWS: "${local.trusted_identity}" Action: "sts:AssumeRole" Condition: StringEquals: @@ -91,12 +92,12 @@ Resources: Statement: - Effect: Allow Action: 'events:PutEvents' - Resource: ${data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN} + Resource: "${local.target_event_bus_arn}" - Effect: Allow Action: - "events:DescribeRule" - "events:ListTargetsByRule" - Resource: "arn:aws:events:*:*:rule/${local.eb_resource_name}" + Resource: "${local.arn_prefix}:events:*:*:rule/${local.eb_resource_name}" TEMPLATE } diff --git a/modules/integrations/event-bridge/stackset_template_body.tpl b/modules/integrations/event-bridge/stackset_template_body.tpl index d4befe1..67e7b81 100644 --- a/modules/integrations/event-bridge/stackset_template_body.tpl +++ b/modules/integrations/event-bridge/stackset_template_body.tpl 
@@ -9,4 +9,4 @@ Resources: Targets: - Id: ${name} Arn: ${target_event_bus_arn} - RoleArn: !Sub "arn:aws:iam::$${AWS::AccountId}:role/${name}" + RoleArn: !Sub "${arn_prefix}:iam::$${AWS::AccountId}:role/${name}" diff --git a/modules/integrations/event-bridge/variables.tf b/modules/integrations/event-bridge/variables.tf index dbc76f1..18c24fd 100644 --- a/modules/integrations/event-bridge/variables.tf +++ b/modules/integrations/event-bridge/variables.tf @@ -100,4 +100,10 @@ variable "stackset_execution_role_name" { variable "sysdig_secure_account_id" { type = string description = "ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account)" +} + +variable "is_gov_cloud" { + type = bool + default = false + description = "true/false whether EventBridge should be deployed in a govcloud account/org or not" } \ No newline at end of file diff --git a/modules/integrations/event-bridge/versions.tf b/modules/integrations/event-bridge/versions.tf index ffc5d6d..6993c15 100644 --- a/modules/integrations/event-bridge/versions.tf +++ b/modules/integrations/event-bridge/versions.tf @@ -6,7 +6,8 @@ terraform { version = ">= 5.60.0" } sysdig = { - source = "sysdiglabs/sysdig" + source = "local/sysdiglabs/sysdig" // TODO: remove after test + version = "~> 1.0.0" } random = { source = "hashicorp/random" diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index d3b10e5..4fecb33 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md 
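Review bot: Passing `arn_prefix` into this template is unnecessary, because CloudFormation already exposes the partition as the `AWS::Partition` pseudo parameter; `RoleArn: !Sub "arn:$${AWS::Partition}:iam::$${AWS::AccountId}:role/${name}"` (the same `$$` escape the line already uses for `AWS::AccountId`) is correct in every partition without a template variable, and `arn_prefix` can then be dropped from both `templatefile` calls in @@ -226,7 and @@ -38,7. The `ManagedPolicyArns` and `Resource` lines in the three `organizational.tf` heredoc templates can take the same form, e.g. `- !Sub "arn:$${AWS::Partition}:iam::aws:policy/SecurityAudit"`, since `!Sub` is needed for the pseudo parameter to be expanded there.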
@@ -8,7 +8,9 @@ The following resources will be created in each instrumented account: - `arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess` (for organizational setup) - An Access Policy attached to this role using a Sysdig provided `ExternalId`. -If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account. +If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account. + +If instrumenting an AWS Gov account/organization, IAM policies and resources will be created in `aws-us-gov` region. ## Requirements @@ -16,13 +18,13 @@ If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.62.0 | +| [aws](#requirement\_aws) | >= 5.60.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.62.0 | +| [aws](#provider\_aws) | >= 5.60.0 | ## Modules 
@@ -32,29 +34,41 @@ No modules. | Name | Type | |------|------| +| [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [aws_iam_role.onboarding_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.onboarding_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachments_exclusive.onboarding_role_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachments_exclusive) | resource | +| [sysdig_secure_cloud_auth_account.cloud_auth_account](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_cloud_auth_account) | resource | | [aws_cloudformation_stack_set.stackset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource | | [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource | -| [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [sysdig_secure_organization.aws_organization](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_organization) | resource | +| [sysdig_secure_trusted_cloud_identity.trusted_identity](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_trusted_cloud_identity) | data source | +| [sysdig_secure_tenant_external_id.external_id](https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/data-sources/secure_tenant_external_id) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | 
[aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | -| [aws_iam_policy_document.custom_resources_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [external\_id](#input\_external\_id) | Random string generated unique to a customer | `string` | n/a | yes | -| [trusted\_identity](#input\_trusted\_identity) | The name of sysdig trusted identity | `string` | n/a | yes | | [failure\_tolerance\_percentage](#input\_failure\_tolerance\_percentage) | The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region | `number` | `90` | no | | [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no | -| [org\_units](#input\_org\_units) | Org unit id to install cspm | `set(string)` | `[]` | no | -| [region](#input\_region) | Default region for resource creation in organization mode | `string` | `"eu-central-1"` | no | -| [role\_name](#input\_role\_name) | The name of the IAM Role that will be created. | `string` | `"sysdig-secure"` | no | +| [organizational\_unit\_ids](#input\_organizational\_unit\_ids) | Org unit ids to install onboarding | `set(string)` | `[]` | no | +| [region](#input\_region) | Default region for resource creation in organization mode | `string` | `""` | no | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | +| [account_alias](#input\_account\_alias) | Alias name of the AWS account | `string` | `""` | no | +| [is\_gov\_cloud](#input\_is\_gov\_cloud) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no | ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [sysdig\_secure\_account\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created | +| [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire AWS organization or not | +| [organizational\_unit\_ids](#output\_organizational\_unit\_ids) | organizational unit ids onboarded | +| [is\_gov\_cloud](#output\_is\_gov\_cloud) | Boolean value to indicate if the govcloud account/organization is onboarded | ## Authors diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index d2ba689..46fab59 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -1,3 +1,13 @@ +#----------------------------------------------------------------------------------------- +# Fetch the data sources +#----------------------------------------------------------------------------------------- + +data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { + cloud_provider = "aws" +} + +data "sysdig_secure_tenant_external_id" "external_id" {} + #---------------------------------------------------------- # Fetch & compute required data #---------------------------------------------------------- 
@@ -9,14 +19,10 @@ resource "random_id" "suffix" { locals { onboarding_role_name = "sysdig-secure-onboarding-${random_id.suffix.hex}" + trusted_identity = var.is_gov_cloud ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity + arn_prefix = var.is_gov_cloud ? "arn:aws-us-gov" : "arn:aws" } -data "sysdig_secure_trusted_cloud_identity" "trusted_identity" { - cloud_provider = "aws" -} - -data "sysdig_secure_tenant_external_id" "external_id" {} - #---------------------------------------------------------- # Since this is not an Organizational deploy, create role/polices directly #---------------------------------------------------------- @@ -31,7 +37,7 @@ resource "aws_iam_role" "onboarding_role" { "Sid": "", "Effect": "Allow", "Principal": { - "AWS": "${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity}" + "AWS": "${local.trusted_identity}" }, "Action": "sts:AssumeRole", "Condition": { @@ -49,12 +55,30 @@ EOF } } +resource "aws_iam_role_policy" "onboarding_role_policy" { + name = local.onboarding_role_name + role = aws_iam_role.onboarding_role.id + policy = jsonencode({ + Statement = [ + { + Sid = "AccountManagementReadAccess" + Action = [ + "account:Get*", + "account:List*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + resource "aws_iam_role_policy_attachments_exclusive" "onboarding_role_managed_policy" { + count = var.is_organizational ? 1 : 0 role_name = aws_iam_role.onboarding_role.id - policy_arns = compact([ - "arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess", - var.is_organizational ? "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess" : "" - ]) + policy_arns = [ + "${local.arn_prefix}:iam::aws:policy/AWSOrganizationsReadOnlyAccess" + ] } data "aws_caller_identity" "current" {} 
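Review bot: The new `onboarding_role_policy` document in the @@ -49,12 hunk is `jsonencode`d without a `Version` field, so IAM evaluates it under the default 2008-10-17 policy grammar, while the equivalent statement added to the organizational template carries `Version: "2012-10-17"`; add `Version = "2012-10-17"` above `Statement` so the two forms agree. The same hunk gates `onboarding_role_managed_policy` with `count = var.is_organizational ? 1 : 0`, which means single-account roles no longer have an exclusive attachment set and managed policies attached outside Terraform are no longer removed on apply — if that is accepted it deserves a comment on the resource. The inline `account:Get*`/`account:List*` statement replaces the `AWSAccountManagementReadOnlyAccess` managed policy that was attached before; presumably that policy is not available in every partition, and a comment stating the reason (e.g. `# inline equivalent of AWSAccountManagementReadOnlyAccess, kept inline for partition portability — confirm`) would stop the next maintainer from swapping the managed policy back in. The `locals` block in @@ -9,14 shares the partition caveat raised on config-posture.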
@@ -64,6 +88,7 @@ resource "sysdig_secure_cloud_auth_account" "cloud_auth_account" { provider_id = data.aws_caller_identity.current.account_id provider_type = "PROVIDER_AWS" provider_alias = var.account_alias + regulatory_framework = var.is_gov_cloud ? "REGULATORY_FRAMEWORK_US_FEDRAMP" : "" component { type = "COMPONENT_TRUSTED_ROLE" diff --git a/modules/onboarding/organizational.tf b/modules/onboarding/organizational.tf index c53a1e5..b3d4b65 100644 --- a/modules/onboarding/organizational.tf +++ b/modules/onboarding/organizational.tf @@ -45,14 +45,23 @@ Resources: Statement: - Effect: Allow Principal: - AWS: [ ${data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity} ] + AWS: [ ${local.trusted_identity} ] Action: [ 'sts:AssumeRole' ] Condition: StringEquals: sts:ExternalId: ${data.sysdig_secure_tenant_external_id.external_id.external_id} + Policies: + - PolicyName: ${local.onboarding_role_name} + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - "account:Get*" + - "account:List*" + Resource: "*" ManagedPolicyArns: - - "arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess" - - "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess" + - "${local.arn_prefix}:iam::aws:policy/AWSOrganizationsReadOnlyAccess" TEMPLATE } diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf index dc16a86..a806edd 100644 --- a/modules/onboarding/outputs.tf +++ b/modules/onboarding/outputs.tf @@ -12,3 +12,8 @@ output "organizational_unit_ids" { value = var.organizational_unit_ids description = "organizational unit ids to onboard" } + +output "is_gov_cloud" { + value = var.is_gov_cloud + description = "onboard the govcloud account/organization" +} \ No newline at end of file diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index e6e0461..7f67520 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf 
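Review bot: `regulatory_framework = var.is_gov_cloud ? "REGULATORY_FRAMEWORK_US_FEDRAMP" : ""` sends an empty string to the Sysdig API for every non-GovCloud account instead of leaving the attribute unset; unless the provider schema documents `""` as the "none" value, `null` is the idiomatic way to omit an optional argument, i.e. `regulatory_framework = var.is_gov_cloud ? "REGULATORY_FRAMEWORK_US_FEDRAMP" : null`. In the `outputs.tf` hunk the description `"onboard the govcloud account/organization"` reads as an instruction rather than a description of the value; the README on the same change says `Boolean value to indicate if the govcloud account/organization is onboarded`, which is the wording to use here too.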
@@ -47,3 +47,8 @@ variable "account_alias" { default = "" } +variable "is_gov_cloud" { + type = bool + default = false + description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not" +} \ No newline at end of file diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index 17c7f6b..960bfa8 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -10,7 +10,8 @@ terraform { version = ">= 3.1" } sysdig = { - source = "sysdiglabs/sysdig" + source = "local/sysdiglabs/sysdig" // TODO: remove after test + version = "~> 1.0.0" } } } diff --git a/test/examples/organization/event_bridge_gov.tf b/test/examples/organization/event_bridge_gov.tf new file mode 100644 index 0000000..e20a041 --- /dev/null +++ b/test/examples/organization/event_bridge_gov.tf 
@@ -0,0 +1,29 @@ +#--------------------------------------------------------------------------------------------- +# Ensure installation flow for foundational onboarding has been completed before +# installing additional Sysdig features. +#--------------------------------------------------------------------------------------------- + +module "event-bridge" { + source = "../../../modules/integrations/event-bridge" + regions = ["us-gov-east-1"] + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id + is_organizational = module.onboarding.is_organizational + org_units = module.onboarding.organizational_unit_ids + is_gov_cloud = module.onboarding.is_gov_cloud +} + +resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_THREAT_DETECTION" + enabled = true + components = [module.event-bridge.event_bridge_component_id] + depends_on = [module.event-bridge] +} + +resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" + enabled = true + components = [module.event-bridge.event_bridge_component_id] + depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.config_posture] +} diff --git a/test/examples/organization/onboarding_with_cspm_gov.tf b/test/examples/organization/onboarding_with_cspm_gov.tf new file mode 100644 index 0000000..e1757f0 --- /dev/null +++ b/test/examples/organization/onboarding_with_cspm_gov.tf 
@@ -0,0 +1,41 @@ +terraform { + required_providers { + sysdig = { + source = "sysdiglabs/sysdig" + version = "~> 1.37" + } + } +} + +provider "sysdig" { + sysdig_secure_url = "https://secure-staging.sysdig.com" + sysdig_secure_api_token = "" +} + +provider "aws" { + region = "us-gov-east-1" + allowed_account_ids = ["123456789101"] +} + +module "onboarding" { + source = "../../../modules/onboarding" + organizational_unit_ids = ["ou-ks5g-dofso0kc"] + is_organizational = true + is_gov_cloud = true +} + +module "config-posture" { + source = "../../../modules/config-posture" + org_units = module.onboarding.organizational_unit_ids + is_organizational = module.onboarding.is_organizational + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id + is_gov_cloud = true +} + +resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_CONFIG_POSTURE" + enabled = true + components = [module.config-posture.config_posture_component_id] + depends_on = [module.config-posture] +} \ No newline at end of file diff --git a/test/examples/single_account/event_bridge_gov.tf b/test/examples/single_account/event_bridge_gov.tf new file mode 100644 index 0000000..77548ea --- /dev/null +++ b/test/examples/single_account/event_bridge_gov.tf 
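Review bot: The `config-posture` module call sets `is_gov_cloud = true` as a literal while the companion `event_bridge_gov.tf` wires `module.onboarding.is_gov_cloud`; use the onboarding output here as well (`is_gov_cloud = module.onboarding.is_gov_cloud`) so the two features cannot be configured for different partitions than the account was onboarded in, and apply the same change to the single-account example (@@ -0,0 +1,37). This file declares `module "onboarding"`, `module "config-posture"` and `resource "sysdig_secure_cloud_auth_account_feature" "config_posture"` in a directory that, judging by the second commit's diffstat, already contains `onboarding_with_cspm.tf`; if that file declares the same block names, the directory no longer validates as a single root module and the gov examples need their own directory. `sysdig_secure_api_token = ""` in a committed example invites someone to paste a real token into the file; the provider reads the token from the environment when the argument is omitted, so dropping the line (with a comment naming the environment variable) is the safer template.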
@@ -0,0 +1,27 @@
+#---------------------------------------------------------------------------------------------
+# Ensure installation flow for foundational onboarding has been completed before
+# installing additional Sysdig features.
+#---------------------------------------------------------------------------------------------
+
+module "event-bridge" {
+ source = "../../../modules/integrations/event-bridge"
+ regions = ["us-gov-east-1"]
+ sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
+ is_gov_cloud = module.onboarding.is_gov_cloud
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_THREAT_DETECTION"
+ enabled = true
+ components = [module.event-bridge.event_bridge_component_id]
+ depends_on = [module.event-bridge]
+}
+
+resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
+ account_id = module.onboarding.sysdig_secure_account_id
+ type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
+ enabled = true
+ components = [module.event-bridge.event_bridge_component_id]
+ depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.config_posture]
+}
diff --git a/test/examples/single_account/onboarding_with_cspm_gov.tf b/test/examples/single_account/onboarding_with_cspm_gov.tf
new file mode 100644
index 0000000..69dc5f6
--- /dev/null
+++ b/test/examples/single_account/onboarding_with_cspm_gov.tf
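Review bot: `regions = ["us-gov-east-1"]` forwards events from only one of the two GovCloud regions, and the event-bridge module creates its rules per region (the `region_set = toset(var.regions)` local in the module hunk later in this series), so CloudTrail activity in us-gov-west-1 would never reach threat detection while the feature reports as enabled. The example should list both regions or state the trade-off explicitly: `regions = ["us-gov-east-1", "us-gov-west-1"] # every GovCloud region the account operates in; unlisted regions are blind spots`. The `depends_on` for `identity_entitlement` references a `config_posture` resource declared in a different file of the same directory; a header comment naming that prerequisite would make the cross-file coupling visible.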
@@ -0,0 +1,37 @@ +terraform { + required_providers { + sysdig = { + source = "sysdiglabs/sysdig" + version = "~> 1.37" + } + } +} + +provider "sysdig" { + sysdig_secure_url = "https://secure-staging.sysdig.com" + sysdig_secure_api_token = "" +} + +provider "aws" { + region = "us-gov-east-1" + allowed_account_ids = ["123456789101"] +} + +module "onboarding" { + source = "../../../modules/onboarding" + is_gov_cloud = true +} + +module "config-posture" { + source = "../../../modules/config-posture" + sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id + is_gov_cloud = true +} + +resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { + account_id = module.onboarding.sysdig_secure_account_id + type = "FEATURE_SECURE_CONFIG_POSTURE" + enabled = true + components = [module.config-posture.config_posture_component_id] + depends_on = [module.config-posture] +} \ No newline at end of file From 8b6e127860da358ba4ea432c44918db5abac4a10 Mon Sep 17 00:00:00 2001 From: Ravina Dhruve Date: Thu, 31 Oct 2024 08:58:59 -0700 Subject: [PATCH 2/5] Review comments and fix test examples --- modules/config-posture/README.md | 2 +- modules/config-posture/main.tf | 4 ++-- modules/config-posture/variables.tf | 2 +- modules/integrations/event-bridge/README.md | 2 +- modules/integrations/event-bridge/main.tf | 6 +++--- modules/integrations/event-bridge/variables.tf | 2 +- modules/onboarding/README.md | 4 ++-- modules/onboarding/main.tf | 6 +++--- modules/onboarding/outputs.tf | 4 ++-- modules/onboarding/variables.tf | 2 +- test/examples/organization/event_bridge_gov.tf | 2 +- test/examples/organization/onboarding_with_cspm.tf | 8 ++++---- test/examples/organization/onboarding_with_cspm_gov.tf | 8 ++++---- test/examples/single_account/event_bridge_gov.tf | 2 +- test/examples/single_account/onboarding_with_cspm_gov.tf | 6 +++--- 15 files changed, 30 insertions(+), 30 deletions(-) 
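Review bot: `module "config-posture"` sets `is_gov_cloud = true` as a literal while the sibling event_bridge_gov.tf threads `module.onboarding.is_gov_cloud`; the config-posture module derives both the trusted Sysdig identity and the `arn:aws`/`arn:aws-us-gov` prefix of the role trust policy from this flag (see its `locals` in patch 2), so if the two examples drift the posture role ends up trusting a principal from the wrong partition. Use the onboarding output here as well: `is_gov_cloud = module.onboarding.is_gov_cloud`. As with the organization example, `sysdig_secure_api_token = ""` should be removed in favour of an environment variable or a `sensitive = true` variable rather than left as an editable placeholder in a committed file.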
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index dfc2dc8..aeaa2bc 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -56,7 +56,7 @@ No modules. | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | | [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | (Required) The GUID of the management project or single project per sysdig representation | `string` | n/a | yes | -| [is\_gov\_cloud](#input\_is\_gov\_cloud) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no | +| [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no | ## Outputs diff --git a/modules/config-posture/main.tf b/modules/config-posture/main.tf index b2a5a61..9cc04c9 100644 --- a/modules/config-posture/main.tf +++ b/modules/config-posture/main.tf @@ -19,8 +19,8 @@ resource "random_id" "suffix" { locals { config_posture_role_name = "sysdig-secure-posture-${random_id.suffix.hex}" - trusted_identity = var.is_gov_cloud ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity - arn_prefix = var.is_gov_cloud ? "arn:aws-us-gov" : "arn:aws" + trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity + arn_prefix = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws" } #---------------------------------------------------------- diff --git a/modules/config-posture/variables.tf b/modules/config-posture/variables.tf index 6539f57..7a4d955 100644 --- a/modules/config-posture/variables.tf +++ b/modules/config-posture/variables.tf 
@@ -46,7 +46,7 @@ variable "sysdig_secure_account_id" { description = "ID of the Sysdig Cloud Account to enable Config Posture for (incase of organization, ID of the Sysdig management account)" } -variable "is_gov_cloud" { +variable "is_gov_cloud_onboarding" { type = bool default = false description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not" diff --git a/modules/integrations/event-bridge/README.md b/modules/integrations/event-bridge/README.md index f01c624..5ca12a9 100644 --- a/modules/integrations/event-bridge/README.md +++ b/modules/integrations/event-bridge/README.md @@ -74,7 +74,7 @@ No modules. | [tags](#input\_tags) | (Optional) Tags to be attached to all Sysdig resources. | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | | [sysdig\_secure\_account\_id](#input\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account) | `string` | n/a | yes | -| [is\_gov\_cloud](#input\_is\_gov\_cloud) | true/false whether Event Bridge should be deployed in a govcloud account/org or not | `bool` | `false` | no | +| [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether Event Bridge should be deployed in a govcloud account/org or not | `bool` | `false` | no | ## Outputs diff --git a/modules/integrations/event-bridge/main.tf b/modules/integrations/event-bridge/main.tf index a2eea6e..08fb529 100644 --- a/modules/integrations/event-bridge/main.tf +++ b/modules/integrations/event-bridge/main.tf 
@@ -27,9 +27,9 @@ data "sysdig_secure_tenant_external_id" "external_id" {} #----------------------------------------------------------------------------------------- locals { region_set = toset(var.regions) - trusted_identity = var.is_gov_cloud ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity - target_event_bus_arn = var.is_gov_cloud ? data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARNGov : data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN - arn_prefix = var.is_gov_cloud ? "arn:aws-us-gov" : "arn:aws" + trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity + target_event_bus_arn = var.is_gov_cloud_onboarding ? data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARNGov : data.sysdig_secure_cloud_ingestion_assets.assets.aws.eventBusARN + arn_prefix = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws" } #----------------------------------------------------------------------------------------- diff --git a/modules/integrations/event-bridge/variables.tf b/modules/integrations/event-bridge/variables.tf index 18c24fd..6d4fe8e 100644 --- a/modules/integrations/event-bridge/variables.tf +++ b/modules/integrations/event-bridge/variables.tf @@ -102,7 +102,7 @@ variable "sysdig_secure_account_id" { description = "ID of the Sysdig Cloud Account to enable Event Bridge integration for (incase of organization, ID of the Sysdig management account)" } -variable "is_gov_cloud" { +variable "is_gov_cloud_onboarding" { type = bool default = false description = "true/false whether EventBridge should be deployed in a govcloud account/org or not" diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index 4fecb33..a0f1ada 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md 
@@ -59,7 +59,7 @@ No modules. | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | | [timeout](#input\_timeout) | Default timeout values for create, update, and delete operations | `string` | `"30m"` | no | | [account_alias](#input\_account\_alias) | Alias name of the AWS account | `string` | `""` | no | -| [is\_gov\_cloud](#input\_is\_gov\_cloud) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no | +| [is\_gov\_cloud\_onboarding](#input\_is\_gov\_cloud\_onboarding) | true/false whether secure-for-cloud should be deployed in a govcloud account/org or not | `bool` | `false` | no | ## Outputs @@ -68,7 +68,7 @@ No modules. | [sysdig\_secure\_account\_id](#output\_sysdig\_secure\_account\_id) | ID of the Sysdig Cloud Account created | | [is\_organizational](#output\_is\_organizational) | Boolean value to indicate if secure-for-cloud is deployed to an entire AWS organization or not | | [organizational\_unit\_ids](#output\_organizational\_unit\_ids) | organizational unit ids onboarded | -| [is\_gov\_cloud](#output\_is\_gov\_cloud) | Boolean value to indicate if the govcloud account/organization is onboarded | +| [is\_gov\_cloud\_onboarding](#output\_is\_gov\_cloud\_onboarding) | Boolean value to indicate if a govcloud account/organization is being onboarded | ## Authors diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index 46fab59..d34cd45 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf 
@@ -19,8 +19,8 @@ resource "random_id" "suffix" { locals { onboarding_role_name = "sysdig-secure-onboarding-${random_id.suffix.hex}" - trusted_identity = var.is_gov_cloud ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity - arn_prefix = var.is_gov_cloud ? "arn:aws-us-gov" : "arn:aws" + trusted_identity = var.is_gov_cloud_onboarding ? data.sysdig_secure_trusted_cloud_identity.trusted_identity.gov_identity : data.sysdig_secure_trusted_cloud_identity.trusted_identity.identity + arn_prefix = var.is_gov_cloud_onboarding ? "arn:aws-us-gov" : "arn:aws" } #---------------------------------------------------------- @@ -88,7 +88,7 @@ resource "sysdig_secure_cloud_auth_account" "cloud_auth_account" { provider_id = data.aws_caller_identity.current.account_id provider_type = "PROVIDER_AWS" provider_alias = var.account_alias - regulatory_framework = var.is_gov_cloud ? "REGULATORY_FRAMEWORK_US_FEDRAMP" : "" + regulatory_framework = var.is_gov_cloud_onboarding ? "REGULATORY_FRAMEWORK_US_FEDRAMP" : "" component { type = "COMPONENT_TRUSTED_ROLE" diff --git a/modules/onboarding/outputs.tf b/modules/onboarding/outputs.tf index a806edd..857f898 100644 --- a/modules/onboarding/outputs.tf +++ b/modules/onboarding/outputs.tf @@ -13,7 +13,7 @@ output "organizational_unit_ids" { description = "organizational unit ids to onboard" } -output "is_gov_cloud" { - value = var.is_gov_cloud +output "is_gov_cloud_onboarding" { + value = var.is_gov_cloud_onboarding description = "onboard the govcloud account/organization" } \ No newline at end of file diff --git a/modules/onboarding/variables.tf b/modules/onboarding/variables.tf index 7f67520..b38f1c3 100644 --- a/modules/onboarding/variables.tf +++ b/modules/onboarding/variables.tf 
@@ -47,7 +47,7 @@ variable "account_alias" { default = "" } -variable "is_gov_cloud" { +variable "is_gov_cloud_onboarding" { type = bool default = false description = "true/false whether secure-for-cloud should be deployed in a govcloud account/org or not" diff --git a/test/examples/organization/event_bridge_gov.tf b/test/examples/organization/event_bridge_gov.tf index e20a041..cfe3414 100644 --- a/test/examples/organization/event_bridge_gov.tf +++ b/test/examples/organization/event_bridge_gov.tf @@ -9,7 +9,7 @@ module "event-bridge" { sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id is_organizational = module.onboarding.is_organizational org_units = module.onboarding.organizational_unit_ids - is_gov_cloud = module.onboarding.is_gov_cloud + is_gov_cloud_onboarding = module.onboarding.is_gov_cloud_onboarding } resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { diff --git a/test/examples/organization/onboarding_with_cspm.tf b/test/examples/organization/onboarding_with_cspm.tf index 56b5a0a..9ab29b3 100644 --- a/test/examples/organization/onboarding_with_cspm.tf +++ b/test/examples/organization/onboarding_with_cspm.tf @@ -18,16 +18,16 @@ provider "aws" { } module "onboarding" { - source = "../../../modules/onboarding" + source = "../../../modules/onboarding" organizational_unit_ids = ["ou-ks5g-dofso0kc"] - is_organizational = true + is_organizational = true } module "config-posture" { source = "../../../modules/config-posture" - org_units = module.onboarding.organizational_unit_ids - is_organizational = module.onboarding.is_organizational sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id + org_units = ["ou-ks5g-dofso0kc"] + is_organizational = true } resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { diff --git a/test/examples/organization/onboarding_with_cspm_gov.tf b/test/examples/organization/onboarding_with_cspm_gov.tf index e1757f0..09092c5 100644 
--- a/test/examples/organization/onboarding_with_cspm_gov.tf +++ b/test/examples/organization/onboarding_with_cspm_gov.tf @@ -21,15 +21,15 @@ module "onboarding" { source = "../../../modules/onboarding" organizational_unit_ids = ["ou-ks5g-dofso0kc"] is_organizational = true - is_gov_cloud = true + is_gov_cloud_onboarding = true } module "config-posture" { source = "../../../modules/config-posture" - org_units = module.onboarding.organizational_unit_ids - is_organizational = module.onboarding.is_organizational sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id - is_gov_cloud = true + org_units = ["ou-ks5g-dofso0kc"] + is_organizational = true + is_gov_cloud_onboarding = true } resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { diff --git a/test/examples/single_account/event_bridge_gov.tf b/test/examples/single_account/event_bridge_gov.tf index 77548ea..ba068a5 100644 --- a/test/examples/single_account/event_bridge_gov.tf +++ b/test/examples/single_account/event_bridge_gov.tf @@ -7,7 +7,7 @@ module "event-bridge" { source = "../../../modules/integrations/event-bridge" regions = ["us-gov-east-1"] sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id - is_gov_cloud = module.onboarding.is_gov_cloud + is_gov_cloud_onboarding = module.onboarding.is_gov_cloud_onboarding } resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { diff --git a/test/examples/single_account/onboarding_with_cspm_gov.tf b/test/examples/single_account/onboarding_with_cspm_gov.tf index 69dc5f6..c34b571 100644 --- a/test/examples/single_account/onboarding_with_cspm_gov.tf +++ b/test/examples/single_account/onboarding_with_cspm_gov.tf 
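Review bot: The hunk replaces `module.onboarding.organizational_unit_ids` and `module.onboarding.is_organizational` in `module "config-posture"` with the literals `["ou-ks5g-dofso0kc"]` and `true`, so the OU list and the org/gov flags are now declared twice in the same file and can silently diverge (onboarding one OU set, posture another). If the outputs were dropped because they were unknown at plan time, that seems unlikely for plain variable pass-throughs such as the `is_gov_cloud_onboarding` output shown in this patch; if it was a reviewer preference for self-contained module blocks, a `locals` block is the middle ground: `locals { org_units = ["ou-ks5g-dofso0kc"] }` with `org_units = local.org_units` in both module blocks. Whatever the reason, a one-line comment above `module "config-posture"` saying why the values are repeated would stop the next reader from "fixing" it back.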
@@ -18,14 +18,14 @@ provider "aws" { } module "onboarding" { - source = "../../../modules/onboarding" - is_gov_cloud = true + source = "../../../modules/onboarding" + is_gov_cloud_onboarding = true } module "config-posture" { source = "../../../modules/config-posture" sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id - is_gov_cloud = true + is_gov_cloud_onboarding = true } resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { From 5152a0fbe765b107c2958e5e811553f9655ac5d7 Mon Sep 17 00:00:00 2001 From: Ravina Dhruve <136399755+ravinadhruve10@users.noreply.github.com> Date: Thu, 7 Nov 2024 08:07:37 -0800 Subject: [PATCH 3/5] Update onboarding module with explicit enum --- modules/onboarding/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/onboarding/main.tf b/modules/onboarding/main.tf index d34cd45..5c2ed00 100644 --- a/modules/onboarding/main.tf +++ b/modules/onboarding/main.tf @@ -88,7 +88,7 @@ resource "sysdig_secure_cloud_auth_account" "cloud_auth_account" { provider_id = data.aws_caller_identity.current.account_id provider_type = "PROVIDER_AWS" provider_alias = var.account_alias - regulatory_framework = var.is_gov_cloud_onboarding ? "REGULATORY_FRAMEWORK_US_FEDRAMP" : "" + provider_partition = var.is_gov_cloud_onboarding ? "PROVIDER_PARTITION_AWS_GOVCLOUD" : "" component { type = "COMPONENT_TRUSTED_ROLE" From c6dc0e98e21eb67a787599bbdb838c8b8d02121f Mon Sep 17 00:00:00 2001 From: Ravina Dhruve Date: Mon, 11 Nov 2024 15:28:38 -0800 Subject: [PATCH 4/5] Update provider version --- modules/config-posture/README.md | 1 + modules/config-posture/versions.tf | 4 ++-- modules/integrations/event-bridge/README.md | 2 +- modules/integrations/event-bridge/versions.tf | 4 ++-- modules/onboarding/README.md | 2 ++ modules/onboarding/versions.tf | 4 ++-- 6 files changed, 10 insertions(+), 7 deletions(-) 
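Review bot: In the patch-3 hunk, `provider_partition = var.is_gov_cloud_onboarding ? "PROVIDER_PARTITION_AWS_GOVCLOUD" : ""` sends an empty string for every commercial onboarding; if the 1.39 provider validates the attribute against its enum the plan fails, and if it does not, the backend is told the partition is unknown rather than omitted. Prefer `null` so the attribute is left unset on the commercial path (or the explicit commercial enum value, if the provider schema defines one): `provider_partition = var.is_gov_cloud_onboarding ? "PROVIDER_PARTITION_AWS_GOVCLOUD" : null`. Nothing in the module checks the flag against the partition the AWS provider is actually running in, and the module's `locals` derive both the trusted identity and the `arn:aws`/`arn:aws-us-gov` prefix of the trust policy from it, so a mistyped flag produces a role whose trust policy names a principal from the other partition; a `data "aws_partition" "current"` plus a variable `validation` or resource `precondition` comparing `partition == "aws-us-gov"` with `var.is_gov_cloud_onboarding` would turn that into a plan-time error. The `sysdig_secure_cloud_auth_account` resource continues outside the hunk.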
diff --git a/modules/config-posture/README.md b/modules/config-posture/README.md index aeaa2bc..30606d8 100644 --- a/modules/config-posture/README.md +++ b/modules/config-posture/README.md @@ -19,6 +19,7 @@ If instrumenting an AWS Gov account/organization, IAM policies and resources wil |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 5.60.0 | +| [sysdig](#requirement\_sysdig) | ~>1.39 | ## Providers diff --git a/modules/config-posture/versions.tf b/modules/config-posture/versions.tf index 623d009..d9b10c4 100644 --- a/modules/config-posture/versions.tf +++ b/modules/config-posture/versions.tf @@ -6,8 +6,8 @@ terraform { version = ">= 5.60.0" } sysdig = { - source = "local/sysdiglabs/sysdig" // TODO: remove after test - version = "~> 1.0.0" + source = "sysdiglabs/sysdig" + version = "~> 1.39" } } } diff --git a/modules/integrations/event-bridge/README.md b/modules/integrations/event-bridge/README.md index 5ca12a9..49ecbcb 100644 --- a/modules/integrations/event-bridge/README.md +++ b/modules/integrations/event-bridge/README.md @@ -20,7 +20,7 @@ If instrumenting an AWS Gov account/organization, IAM policies and event bridge |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 5.60.0 | -| [sysdig](#requirement\_sysdig) | +| [sysdig](#requirement\_sysdig) | ~>1.39 | | [random](#requirement\_random) | >= 3.1 | diff --git a/modules/integrations/event-bridge/versions.tf b/modules/integrations/event-bridge/versions.tf index 6993c15..244a963 100644 --- a/modules/integrations/event-bridge/versions.tf +++ b/modules/integrations/event-bridge/versions.tf @@ -6,8 +6,8 @@ terraform { version = ">= 5.60.0" } sysdig = { - source = "local/sysdiglabs/sysdig" // TODO: remove after test - version = "~> 1.0.0" + source = "sysdiglabs/sysdig" + version = "~> 1.39" } random = { source = "hashicorp/random" 
diff --git a/modules/onboarding/README.md b/modules/onboarding/README.md index a0f1ada..eeda86c 100644 --- a/modules/onboarding/README.md +++ b/modules/onboarding/README.md @@ -19,6 +19,8 @@ If instrumenting an AWS Gov account/organization, IAM policies and resources wil |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 5.60.0 | +| [random](#requirement\_random) | >= 3.1 | +| [sysdig](#requirement\_sysdig) | ~>1.39 | ## Providers diff --git a/modules/onboarding/versions.tf b/modules/onboarding/versions.tf index 960bfa8..86d990d 100644 --- a/modules/onboarding/versions.tf +++ b/modules/onboarding/versions.tf @@ -10,8 +10,8 @@ terraform { version = ">= 3.1" } sysdig = { - source = "local/sysdiglabs/sysdig" // TODO: remove after test - version = "~> 1.0.0" + source = "sysdiglabs/sysdig" + version = "~> 1.39" } } } From e2a85bb6b29860950b94db13961301c47ca0174b Mon Sep 17 00:00:00 2001 From: Ravina Dhruve Date: Tue, 12 Nov 2024 12:50:07 -0800 Subject: [PATCH 5/5] Update provider version in test examples Since the gov support requires atleast 1.39 provider version in TF modules, updating the test example snippets. --- test/examples/organization/onboarding_with_cspm_gov.tf | 4 ++-- test/examples/single_account/onboarding_with_cspm_gov.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/examples/organization/onboarding_with_cspm_gov.tf b/test/examples/organization/onboarding_with_cspm_gov.tf index 09092c5..f5d45d8 100644 --- a/test/examples/organization/onboarding_with_cspm_gov.tf +++ b/test/examples/organization/onboarding_with_cspm_gov.tf @@ -2,7 +2,7 @@ terraform { required_providers { sysdig = { source = "sysdiglabs/sysdig" - version = "~> 1.37" + version = "~> 1.39" } } } 
@@ -38,4 +38,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { enabled = true components = [module.config-posture.config_posture_component_id] depends_on = [module.config-posture] -} \ No newline at end of file +} diff --git a/test/examples/single_account/onboarding_with_cspm_gov.tf b/test/examples/single_account/onboarding_with_cspm_gov.tf index c34b571..f3de5d1 100644 --- a/test/examples/single_account/onboarding_with_cspm_gov.tf +++ b/test/examples/single_account/onboarding_with_cspm_gov.tf @@ -2,7 +2,7 @@ terraform { required_providers { sysdig = { source = "sysdiglabs/sysdig" - version = "~> 1.37" + version = "~> 1.39" } } } @@ -34,4 +34,4 @@ resource "sysdig_secure_cloud_auth_account_feature" "config_posture" { enabled = true components = [module.config-posture.config_posture_component_id] depends_on = [module.config-posture] -} \ No newline at end of file +}